summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-03-05 - jmc@cvs.openbsd.org 2010/03/05 08:31:20Damien Miller
[ssh.1] document certificate authentication; help/ok djm
2010-03-05 - jmc@cvs.openbsd.org 2010/03/05 06:50:35Damien Miller
[ssh.1 sshd.8] tweak previous;
2010-03-05 - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@Damien Miller
2010-03-05 - djm@cvs.openbsd.org 2010/03/05 02:58:11Damien Miller
[auth.c] make the warning for a revoked key louder and more noticable
2010-03-05 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failureDamien Miller
on some platforms
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:27:25Damien Miller
[auth-options.c ssh-keygen.c] "force-command" is not spelled "forced-command"; spotted by imorgan AT nas.nasa.gov
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:19:29Damien Miller
[ssh.1 sshd.8] move section on CA and revoked keys from ssh.1 to sshd.8's known hosts format section and rework it a bit; requested by jmc@
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:17:25Damien Miller
[sshd_config.5] missing word; spotted by jmc@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/04 22:52:40Damien Miller
[ssh-keygen.1] fix Bk/Ek;
2010-03-04 - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in olderTim Rice
compilers. OK djm@
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 20:35:08Damien Miller
[ssh-keygen.1 ssh-keygen.c] Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/04 12:51:25Damien Miller
[ssh.1 sshd_config.5] tweak previous;
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:38:23Damien Miller
[regress/cert-hostkey.sh regress/cert-userkey.sh] additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 00:47:23Damien Miller
[regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does)
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 01:44:57Damien Miller
[key.c] use buffer_get_string_ptr_ret() where we are checking the return value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 22:50:40Damien Miller
[PROTOCOL.certkeys] s/similar same/similar/; from imorgan AT nas.nasa.gov
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 22:49:50Damien Miller
[sshd.8] the authorized_keys option for CA keys is "cert-authority", not "from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-04 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/03/03 01:44:36 [auth-options.c key.c] reject strings with embedded ASCII nul chars in certificate key IDs, principal names and constraints
2010-03-04 - (djm) [regress/Makefile] Cleanup sshd_proxy_origDamien Miller
2010-03-04 - (djm) [.cvsignore] Ignore ssh-pkcs11-helperDamien Miller
2010-03-04 - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReqDamien Miller
on XFree86-devel with neutral /usr/include/X11/Xlib.h; imorgan AT nas.nasa.gov in bz#1731
2010-03-04 - (djm) [ssh-keygen.c] Use correct local variable, instead ofDamien Miller
maybe-undefined global "optarg"
2010-03-03 - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here tooDamien Miller
2010-03-03 - djm@cvs.openbsd.org 2010/03/02 23:20:57Damien Miller
[ssh-keygen.c] POSIX strptime is stricter than OpenBSD's so do a little dance to appease it.
2010-03-03 - djm@cvs.openbsd.org 2010/03/02 23:20:57Damien Miller
[ssh-keygen.c] POSIX strptime is stricter than OpenBSD's so do a little dance to appease it.
2010-03-03 - otto@cvs.openbsd.org 2010/03/01 11:07:06Damien Miller
[ssh-add.c] zap what seems to be a left-over debug message; ok markus@
2010-03-03 - jmc@cvs.openbsd.org 2010/02/26 22:09:28Damien Miller
[ssh-keygen.1 ssh.1 sshd.8] tweak previous;
2010-03-03 - (djm) [PROTOCOL.certkeys] Add RCS IdentDamien Miller
2010-03-01 - (tim) [config.guess config.sub] Bug 1722: Update to latest versions fromTim Rice
http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22 respectively).
2010-03-01 - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOMDarren Tucker
adjust log at verbose only, since according to cjwatson in bug #1470 some virtualization platforms don't allow writes.
2010-03-01 - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} ReplaceDarren Tucker
"echo -n" with "echon" for portability.
2010-02-28 - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functionsTim Rice
to make older compilers (gcc 2.95) happy.
2010-03-01 - (djm) [auth.c] On Cygwin, refuse usernames that have differences inDamien Miller
case from that matched in the system password database. On this platform, passwords are stored case-insensitively, but sshd requires exact case matching for Match blocks in sshd_config(5). Based on a patch from vinschen AT redhat.com.
2010-02-28 - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environmentDamien Miller
variables copied into sshd child processes. From vinschen AT redhat.com
2010-02-28- (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seededDamien Miller
2010-02-27 - djm@cvs.openbsd.org 2010/02/26 20:33:21Damien Miller
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-02-24contrib/caldera/openssh.specDamien Miller
contrib/redhat/openssh.spec contrib/suse/openssh.spec
2010-02-24 - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helperDamien Miller
2010-02-24 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04Damien Miller
[regress/Makefile keygen-convert.sh] add regression test for ssh-keygen pubkey conversions
2010-02-24 - markus@cvs.openbsd.org 2010/02/08 10:52:47Damien Miller
[regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled)
2010-02-24 - djm@cvs.openbsd.org 2010/02/24 06:21:56Damien Miller
[regress/test-exec.sh] wait for sshd to fully stop in cleanup() function; avoids races in tests that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
2010-02-24 - djm@cvs.openbsd.org 2010/02/09 06:29:02Damien Miller
[regress/Makefile] turn on all the malloc(3) checking options when running regression tests. this has caught a few bugs for me in the past; ok dtucker@
2010-02-24 - djm@cvs.openbsd.org 2010/02/09 04:57:36Damien Miller
[regress/addrmatch.sh] clean up droppings
2010-02-24 - dtucker@cvs.openbsd.org 2010/01/11 02:53:44Damien Miller
[regress/forwarding.sh] regress test for stdio forwarding
2010-02-24 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04Damien Miller
[regress/Makefile] add regression test for ssh-keygen pubkey conversions
2010-02-24 - djm@cvs.openbsd.org 2010/02/11 20:37:47Damien Miller
[pathnames.h] correct comment
2010-02-24 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
2010-02-12- (djm) [configure.ac] Enable PKCS#11 support only when we find a workingDamien Miller
dlopen()